
Personyze LC Bug Bounty Program

Personyze LC runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Personyze LC set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Personyze LC and researchers.

The bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.personyze.com

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

PLEASE READ CAREFULLY:
Vulnerability types that qualify for the program are limited to those in https://counter.personyze.com/stat-track-lib.js only.

Depending on their impact, not all reported issues may qualify for a monetary reward. Please refrain from:

- Denial of Service (DoS) or performing other actions that may negatively affect Personyze users (spam)
- Accessing private information (use test accounts instead)
- Sending reports from automated tools without verifying them

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

- WordPress issues, sites built on WordPress
- Rendering HTML content without security impact. Rendering HTML content must demonstrate JavaScript execution or some other malicious action.
- Triggering emails to be sent to another user's account
- Pages and content cached after logout
- Password complexity requirements
- User or account ID enumeration
- Issues related to software or protocols not under Personyze control
- Vulnerabilities in third-party applications or services which use or integrate with Personyze
- wiki.personyze.com
- blog.Personyze.com / www.Personyze.com/blog (WordPress)
- cdn.personyze.com (an internal-only site)
- counter.personyze.com
- Vulnerabilities in third-party applications that are integrated with the Personyze product via developer platform components, such as OAuth and Canvas
- Dangling DNS Records: issues related to stale CNAME records or any other DNS record
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering of Personyze staff or contractors, or physical attempts against property
- Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
- Reports relating to HSTS (we can't enable it yet but plan to)
- Reports related to shared computer accounts
- The support system accessed via the 'Provide Feedback' link

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln

Testing Requirements:

PLEASE READ CAREFULLY:
Personyze customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the personalization. This is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

Vulnerability types that qualify for the program are limited to those in https://counter.personyze.com/stat-track-lib.js only:

- Cross-Site Scripting
- SQL Injection
- Remote Code Execution
- Cross-Site Request Forgery
- Directory Traversal

Possible Awards:

Technical severity under https://counter.personyze.com/stat-track-lib.js:

- Critical: $100
- Severe: $50

Issues under www.personyze.com are not included.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

- Response Time: how quickly researchers get responses to their submissions.
- Remediation Time: how quickly reported submissions are fixed.
- Cooperation and Respect: how fairly and respectfully researchers are being treated.

Researcher's comments

30 July, 2020
pwn_box:
Hello team, can you please share your email so that I can report the bug apart from these.

